System Center 2012 Configuration Manager uses site system roles to support operations at each site. Computers that host the Configuration Manager site are named site servers, and computers that host the other site system roles are named site system servers. The site server is also a site system server.

Site system servers within the same site communicate with each other by using server message block (SMB), HTTP, or HTTPS, depending on the site configuration selections that you make. Because these communications are unmanaged and can occur at any time without network bandwidth control, review your available network bandwidth before you install site system servers and configure the site system roles.

At each site, you can install available site system roles on the site server or install one or more site system roles on another site system server. Configuration Manager does not limit the number of site system roles that you can run on a single site system server. However, Configuration Manager does not support site system roles from different sites on the same site system server. Additionally, Configuration Manager supports some site system roles only at specific sites in a hierarchy, and some site system roles have other limitations as to where and when you can install them.

Configuration Manager uses the Site System Installation Account to install site system roles. You specify this account when you run the applicable wizard to create a new site system server or add site system roles to an existing site system server. By default, this account is the local system account of the site server computer, but you can specify a domain user account for use as the Site System Installation Account. For more information about this account, see the Site System Installation Account in the Technical Reference for Accounts Used in Configuration Manager topic.

With Configuration Manager SP1, you can configure a proxy server on each site system server for use by all site system roles installed on that computer. This is not a new site system role, but a configuration for site system server computers.

The following are new for site system roles in System Center 2012 R2 Configuration Manager:

There is a new site system role, the certificate registration point. This new site system role requires IIS and works in conjunction with a policy module plugin for the Network Device Enrollment Service server role for Active Directory Domain Services that runs on Windows Server 2012 R2. This solution provides certificate enrollment for devices that Configuration Manager manages.

When you install a site, several site system roles automatically are installed on the servers that you specify during Setup. After a site is installed, you can install additional site system roles on those servers or on additional computers that you decide to use as site system servers. The following sections identify the default site system roles and the optional site system roles that are available in Configuration Manager.

When you install a Configuration Manager site, several default site system roles are automatically installed for the site. These site system roles are required for the core operation of each site and although some default site system roles can be moved to other servers, they cannot be removed from the site. Additionally, some default site system roles are installed on additional site system servers when you install optional site system roles.

The default site system roles are described in the following table.

Site system role

Description

Configuration Manager site server

The site server role is automatically installed on the server from which you run Configuration Manager Setup when you install a central administration site or primary site. When you install a secondary site, the site server role is installed on the server that you specify as the secondary site server.

Configuration Manager site system

Site systems are computers that provide Configuration Manager functionality to a site. Each site system hosts one or more site system roles. Most site system roles are optional, and you install them only if you have to use them for specific management tasks. Other site system roles are automatically installed on a site system and cannot be configured.

This role is assigned during Configuration Manager site installation or when you add an optional site system role to another server.

Configuration Manager component site system role

Any site system that runs the SMS Executive service also installs the component site system role.

This role is required to support other roles, such as a management point, and it is installed and removed with the other site system roles.

This role is always assigned to the site server when you install Configuration Manager.

Configuration Manager site database server

The site database server is a computer that runs a supported version of Microsoft SQL Server, and it stores information for Configuration Manager sites, such as discovery data, hardware and software inventory data, and configuration and status information.

Each site in the Configuration Manager hierarchy contains a site database and a server that is assigned the site database server role. You can install SQL Server on the site server, or you can install SQL Server on a computer other than the site server to reduce the CPU load on the site server. Secondary sites can use SQL Server Express instead of a full SQL Server installation.

The site database can be installed on the default instance of SQL Server or on a named instance on a single computer that is running SQL Server. It can be installed on a named instance on a SQL Server cluster.

Typically, a site system server supports site system roles from a single Configuration Manager site only; however, you can use different instances of SQL Server on clustered or non-clustered servers running SQL Server to host the databases for different Configuration Manager sites. For this configuration, you must configure each instance of SQL Server to use a different port.

This role is installed when you install Configuration Manager.

SMS Provider

The SMS Provider is the interface between the Configuration Manager console and the site database. This role is installed when you install a central administration site or primary site. Secondary sites do not install the SMS Provider. You can install the SMS Provider on the site server, the site database server (unless the site database is hosted on a clustered instance of SQL Server), or on another computer. You can also move the SMS Provider to another computer after the site is installed, or install multiple SMS Providers on additional computers. To move or install additional SMS Providers for a site, run Configuration Manager Setup, select the option Perform site maintenance or reset the Site, click Next, and then on the Site Maintenance page, select the option Modify SMS Provider configuration.

Note

The SMS Provider is only supported on computers that are in the same domain as the site server.

Optional site system roles are site system roles that are not required for the core operation of a Configuration Manager site. However, by default, the management point and distribution point, which are optional site system roles, are installed on the site server when you install a primary or secondary site. Although these two site system roles are not required for the core operation of the site, a site must have at least one management point to support clients. After you install a site, you can move the default management point or distribution point to another server, install additional instances of each site system role, and install other optional site system roles to meet your business requirements.

The optional site system roles are described in the following table.

Site system role

Description

Application Catalog web service point

A site system role that provides software information to the Application Catalog website from the Software Library.

Application Catalog website point

A site system role that provides users with a list of available software from the Application Catalog.

Asset Intelligence synchronization point

A site system role that connects to Microsoft to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog. This site system role can only be installed on the central administration site or a stand-alone primary site. For more information about planning for Asset Intelligence, see Prerequisites for Asset Intelligence in Configuration Manager.

Certificate registration point

A site system role that communicates with a server that runs the Network Device Enrollment Service to manage device certificate requests that use the Simple Certificate Enrollment Protocol (SCEP).

Important

The certificate registration point must not be installed on the same server that runs the Network Device Enrollment Service.

Distribution point

A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images. You can control content distribution by using bandwidth, throttling, and scheduling options. For more information, see Planning for Content Management in Configuration Manager.

Fallback status point

A site system role that helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point.

Management point

A site system role that provides policy and service location information to clients and receives configuration data from clients.

You must install at least one management point at each primary site that manages clients, and at each secondary site where you want to provide a local point of contact for clients to obtain computer and user policies.

Endpoint Protection point

A site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership for Microsoft Active Protection Service.

Enrollment point

A site system role that uses PKI certificates for Configuration Manager to enroll mobile devices and Mac computers, and to provision Intel AMT-based computers.

Enrollment proxy point

A site system role that manages Configuration Manager enrollment requests from mobile devices and Mac computers.

Out of band service point

A site system role that provisions and configures Intel AMT-based computers for out of band management.

During normal operation, several Configuration Manager site system roles require connections to the Internet. Typically, this connection is made in the system context of the computer where the site system role is installed, so it cannot use a proxy configuration that is defined for a user account. When a proxy server is required to complete a connection to the Internet, you must configure the computer to use a proxy server. For Configuration Manager with no service pack, you must manually configure the proxy server for the system context outside of Configuration Manager. Beginning with Configuration Manager SP1, you can use the Configuration Manager console to configure each site system server to use a proxy server. This proxy server configuration is used by each applicable site system role that is installed on that computer. For example, a software update point might connect to Microsoft to download updates, and with Configuration Manager SP1, when you use a cloud-based distribution point, the primary site server that manages the cloud-based distribution point must connect to Windows Azure.

The following table identifies the site system roles that can use a proxy server:

| Site system role | Configuration Manager version | Details |
|---|---|---|
| Asset Intelligence synchronization point | System Center 2012 Configuration Manager with no service pack; System Center 2012 Configuration Manager with SP1; System Center 2012 R2 Configuration Manager | This site system role connects to Microsoft and will use a proxy server configuration on the computer that hosts the Asset Intelligence synchronization point. |
| Cloud-based distribution point | System Center 2012 Configuration Manager with SP1; System Center 2012 R2 Configuration Manager | When you use a cloud-based distribution point, the primary site that manages the cloud-based distribution point must be able to connect to Windows Azure to provision, monitor, and distribute content to the distribution point. If a proxy server is required for this connection, you must configure the proxy server on the primary site server. You cannot configure a proxy server on the cloud-based distribution point in Windows Azure. |
| Exchange Server connector | | This site system role connects to an Exchange Server and will use a proxy server configuration on the computer that hosts the Exchange Server connector. |
| Software update point | System Center 2012 Configuration Manager with no service pack; System Center 2012 Configuration Manager with SP1; System Center 2012 R2 Configuration Manager | This site system role can require connections to Microsoft Update to download patches and synchronize information about updates. With Configuration Manager with no service pack you can configure proxy server settings for the active software update point. With Configuration Manager SP1, proxy server options are only available for the software update point when there is already a proxy configured for the site system server. |
| Microsoft Intune connector | | This site system role connects to Microsoft Intune and will use a proxy server configuration on the computer that hosts the Microsoft Intune connector. |

Beginning with Configuration Manager SP1, you can configure the proxy server for a site system server when you install a site system role by using the Add Site System Roles Wizard or the Create Site System Server Wizard. After you have installed a site system server, you can configure a proxy server by editing the properties of the site system server. Each site system server supports only a single proxy server configuration. If you configure a new proxy server when you install a site system role or edit the site system server properties, the new proxy server configuration replaces the previously configured proxy server for that site system server.

The proxy server configuration is shared by all site system roles that run on a computer. There is no support for individual site system roles that run on the same computer to use different proxy server configurations. If you require different site system roles to use different proxy servers, you must install the site system roles on different site system server computers.

Typically, when you configure the proxy server, each site system role on that computer that supports using the proxy server will use the proxy server with no additional configuration required. An exception to this is the software update point. By default, a software update point does not use an available proxy server unless you also enable the following options when you configure the software update point:

Use a proxy server when synchronizing software updates

Use a proxy server when downloading content by using automatic deployment rules

Tip

A proxy server must be configured on the site system server that hosts the software update point before you can select either option. The proxy server is only used for the specific options you select.

Because each site system server supports a single proxy server configuration, if you add a new site system role to a computer and specify a different proxy server configuration than is already configured, the new configuration replaces the previous proxy server configuration. Similarly, after you configure a proxy server for a site system server, if you edit the properties of the site system and change the proxy server configuration, the new configuration replaces the previous one.

Before you install site system roles, identify the site types that can or cannot support specific site system roles, and how many instances of each site system role you can install at a site or across a hierarchy.

You can install some site system roles at only the top-level site in a hierarchy. A top-level site can be a central administration site of a multi-primary site hierarchy or a stand-alone primary site if your hierarchy consists of a single primary site with one or more secondary child sites.

Additionally, some site system roles support only a single instance per hierarchy. However, most site system roles support multiple instances across the hierarchy and at individual sites.

Use the following table to identify the site system roles that you can install at each type of site in a System Center 2012 Configuration Manager hierarchy, and whether the site system role provides functionality for its site only, or for the entire hierarchy. You can install any supported site system role on the site server computer or on a remote site system server at a central administration site or primary site. At a secondary site, only the distribution point is supported on a remote site system server.

| Site system role | Central administration site | Child primary site | Stand-alone primary site | Secondary site | Site-specific or hierarchy-wide option |
|---|---|---|---|---|---|
| Application Catalog web service point | No | Yes | Yes | No | Hierarchy |
| Application Catalog website point | No | Yes | Yes | No | Hierarchy |
| Asset Intelligence synchronization point (1) | Yes | No | Yes | No | Hierarchy |
| Certificate registration point | Yes | Yes | Yes | No | Hierarchy |
| Distribution point (2, 5) | No | Yes | Yes | Yes | Site |
| Fallback status point | No | Yes | Yes | No | Hierarchy |
| Management point (2, 3, 5) | No | Yes | Yes | Yes | Site |
| Endpoint Protection point | Yes | No | Yes | No | Hierarchy |
| Enrollment point | No | Yes | Yes | No | Site |
| Enrollment proxy point | No | Yes | Yes | No | Site |
| Out of band service point | No | Yes | Yes | No | Site |
| Reporting services point | Yes | Yes | Yes | No | Hierarchy |
| Software update point (4, 5) | Yes | Yes | Yes | Yes | Site |
| State migration point (5) | No | Yes | Yes | Yes | Site |
| System Health Validator point | Yes | Yes | Yes | No | Hierarchy |
| Microsoft Intune connector | Yes | No | Yes | No | Hierarchy |

(1) Configuration Manager supports only a single instance of this site system role in a hierarchy.

(2) By default, when you install a secondary site, a management point and a distribution point are installed on the secondary site server.

(3) This role is required to support clients in Configuration Manager. Secondary sites do not support more than one management point, and this management point cannot support mobile devices that are enrolled by Configuration Manager. For more information about the site system roles that support clients in Configuration Manager, see Determine the Site System Roles for Client Deployment in Configuration Manager.

(4) When your hierarchy contains a central administration site, install a software update point at this site that synchronizes with Windows Server Update Services (WSUS) before you install a software update point at any child primary site. When you install a software update point at a child primary site, configure it to synchronize with the software update point at the central administration site.

(5) Prior to System Center 2012 R2 Configuration Manager, all site system roles at a secondary site must be located on the site server computer. The only exception is the distribution point. Secondary sites support installing distribution points on the site server computer and on remote computers. Beginning with System Center 2012 R2 Configuration Manager, the state migration point can also be installed on the site server computer or on a remote computer, and can be co-located with a distribution point.

Use the following table to help you decide where to install the site system roles.

Site system role

Considerations

Application Catalog website point

When the Application Catalog supports client computers on the Internet, as a security best practice, install the Application Catalog website point in a perimeter network and the Application Catalog web service point on the intranet.

Asset Intelligence synchronization point

Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy.

Certificate registration point

Configuration Manager supports multiple instances of this site system role at each primary site or central administration site. In this scenario, clients are non-deterministically assigned to one of the certificate registration points, to help load balance certificate requests. However, a single certificate registration point can provide functionality to an entire hierarchy.

Important

The certificate registration point must not be installed on the same server that runs the Network Device Enrollment Service.

Each certificate registration point requires access to a separate instance of a Network Device Enrollment Service. You cannot configure two or more certificate registration points to use the same Network Device Enrollment Service.

Endpoint Protection point

Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy.

Enrollment point

If a user enrolls mobile devices by using Configuration Manager and their Active Directory account is in a forest that is untrusted by the site server's forest, you must install an enrollment point in the user’s forest so that the user can be authenticated.

Enrollment proxy point

When you support mobile devices on the Internet, as a security best practice, install the enrollment proxy point in a perimeter network and the enrollment point on the intranet.

Fallback status point

Although you can install more than one fallback status point in a primary site, clients can be assigned to only one fallback status point and this assignment occurs during client installation:

If you install clients by using client push installation, the first fallback status point that is installed for the site is automatically assigned to clients.

If you have two fallback status points in the site so that one fallback status point accepts client connections from the Internet (for example, it is in a perimeter network), and the other fallback status point accepts client connections on the intranet only, assign the Internet-based clients to the Internet-based fallback status point.

Management point

You cannot install a System Center 2012 Configuration Manager management point on a server that has a Configuration Manager 2007 client installed. You must first uninstall the Configuration Manager 2007 client.

Out of band service point

Install this site system to support out of band management for Intel AMT-based computers. In Configuration Manager, this site system must be installed in a primary site that also contains the enrollment point.

The out of band service point cannot provision AMT-based computers in a different forest.

Software update point

Install this site system in the central administration site to synchronize with Windows Server Update Services and in all primary sites that use the Software Updates feature. Also consider installing a software update point in secondary sites when data transfer across the network is slow.

State migration point

Install this site system role in either a primary site or a secondary site. Consider installing a state migration point in secondary sites when data transfer across the network is slow.

Reporting services point

Install this site system role in the central administration site and at any primary site.

Note

A reporting services point installed in a primary site rather than a central administration site can display data from that primary site only.

Distribution point

Install this site system role in primary sites and secondary sites to distribute software to clients by using Background Intelligent Transfer Service (BITS), Windows BranchCache, multicast for operating system deployment, and streaming for application virtualization.

Note

Software deployments might fail when the distribution point is offline, for example when a power management policy has put it into sleep mode.

Microsoft Intune connector

Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy.

The site database server is a computer that runs a supported version of Microsoft SQL Server that stores information for Configuration Manager sites. Each site in a System Center 2012 Configuration Manager hierarchy contains a site database and a server that is assigned the site database server role. For central administration sites and primary sites, you can install SQL Server on the site server, or you can install SQL Server on a computer other than the site server. For secondary sites, you can use SQL Server Express instead of a full SQL Server installation; however, the database server must be co-located with the site server.

You can install the site database on the default instance of SQL Server, a named instance on a single computer running SQL Server, or on a named instance on a clustered instance of SQL Server.

Typically, a site system server supports site system roles from only a single Configuration Manager site; however, you can use different instances of SQL Server, on clustered or non-clustered servers running SQL Server, to host a database from different Configuration Manager sites. To support databases from different sites, you must configure each instance of SQL Server to use unique ports for communication.

To successfully configure a SQL Server installation for use as a Configuration Manager site database server, ensure that the following required SQL Server configurations are specified. Also, be familiar with the optional configurations and planning for service principal names (SPNs), database server location planning, and how to modify the database configuration after a site has completed installation.

At a central administration site and at primary sites, you can co-locate the database server on the site server, or place it on a remote server. At secondary sites, the database server is always co-located on the secondary site server.

If you use a remote database server computer, ensure the intervening network connection is a high-availability, high-bandwidth network connection. This is because the site server and some site system roles must constantly communicate with the SQL Server that is hosting the site database.

Consider the following when you select a remote database server location:

The amount of bandwidth required for communications to the database server depends upon a combination of many different site and client configurations; therefore, the actual bandwidth required cannot be adequately predicted.

Each computer that runs the SMS Provider and that connects to the site database increases network bandwidth requirements.

The computer that runs SQL Server must be located in a domain that has a two-way trust with the site server and all computers running the SMS Provider.

You cannot use a clustered SQL Server for the site database server when the site database is co-located with the site server.

A Service Principal Name (SPN) for the Configuration Manager site database server must be registered in Active Directory Domain Services for the SQL Server service account. The registered SPN lets SQL clients identify and authenticate the service by using Kerberos authentication.

When you configure SQL Server to use the local system account to run SQL Server services, the SPN is automatically created in Active Directory Domain Services. When a domain user account is used instead, you must manually register the SPN for that account. Without a registered SPN for the SQL Server service account, SQL clients and other site systems cannot perform Kerberos authentication, and communication with the database might fail.

Important

Running the SQL Server service by using the local system account of the computer running SQL Server is not a SQL Server best practice. For the most secure operation of SQL Server site database servers, configure a low-rights domain user account to run the SQL Server service.
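The following script is an added example and not part of the Configuration Manager documentation: run on the site database server, it works out the expected MSSQLSvc SPNs for every SQL Server instance from the registry, checks with setspn -L whether they are registered on the account that should hold them (the computer account for built-in accounts, the domain user account otherwise), and flags instances that share a TCP port, which the text above says must be unique when one server hosts databases for different sites. It assumes setspn.exe from the AD DS tools is installed and that the caller can read the SQL Server registry keys.

```powershell
# Added example (not from the Configuration Manager documentation): audit MSSQLSvc SPN
# registration for each SQL Server instance on this site database server.
# Instance names and IDs: value name = instance name, data = instance ID (e.g. MSSQL11.MSSQLSERVER).
$instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-SqlInstanceSpnInfo {
    param([string]$InstanceName, [string]$InstanceId)

    # Static TCP port for the instance; empty when the instance uses dynamic ports.
    $tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    $port = (Get-ItemProperty -Path $tcpKey -ErrorAction SilentlyContinue).TcpPort

    # The default instance runs as service MSSQLSERVER, a named instance as MSSQL$<name>.
    $serviceName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { 'MSSQL$' + $InstanceName }
    $account = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartName

    # SQL Server registers MSSQLSvc/<fqdn> (default instance) or MSSQLSvc/<fqdn>:<instance>
    # (named instance), plus MSSQLSvc/<fqdn>:<port> when a static port is configured.
    $expected = @()
    if ($InstanceName -eq 'MSSQLSERVER') { $expected += "MSSQLSvc/$fqdn" }
    else { $expected += "MSSQLSvc/${fqdn}:$InstanceName" }
    if ($port) { $expected += "MSSQLSvc/${fqdn}:$port" }

    # Local system and virtual accounts get their SPNs on the computer account; a domain
    # user account must hold them itself, which is the case that needs manual registration.
    $builtIn = ($account -eq 'LocalSystem') -or ($account -like 'NT *\*')
    $spnHolder = if ($builtIn) { $env:COMPUTERNAME + '$' } else { $account }

    # setspn -L prints a header line followed by one indented SPN per line.
    $registered = (& setspn.exe -L $spnHolder 2>&1) | ForEach-Object { "$_".Trim() }
    $missing = @($expected | Where-Object { $registered -notcontains $_ })

    [pscustomobject]@{
        Instance    = $InstanceName
        Account     = $account
        Port        = $port
        SpnHolder   = $spnHolder
        MissingSpns = $missing
    }
}

$results = foreach ($prop in (Get-ItemProperty -Path $instanceKey).PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and similar metadata
    Get-SqlInstanceSpnInfo -InstanceName $prop.Name -InstanceId $prop.Value
}

foreach ($r in $results) {
    if ($r.MissingSpns.Count -eq 0) {
        Write-Output "[OK] $($r.Instance): all expected SPNs are registered on $($r.SpnHolder)"
    } else {
        Write-Warning "$($r.Instance) runs as $($r.Account) but lacks: $($r.MissingSpns -join ', ')"
        # setspn -S only adds the SPN when no other account already holds it (no duplicate SPNs).
        $r.MissingSpns | ForEach-Object { Write-Output "  suggested: setspn -S $_ $($r.SpnHolder)" }
    }
}

# Databases for different sites on one server must listen on different ports.
$results | Where-Object Port | Group-Object Port | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Port $($_.Name) is shared by instances: $($_.Group.Instance -join ', ')" }
```

The script only reports and prints the setspn -S command it would run; registering the SPN remains a deliberate step for the administrator.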

After you install a site, you can manage the configuration of the site database and site database server by running Setup on a central administration site server or primary site server. It is not supported to manage the database configuration for a secondary site.

By default, Configuration Manager generates alerts when free disk space on a site database server is low. The defaults are set to generate a warning when there is 10 GB or less of free disk space, and a critical alert when there is 5 GB or less of free disk space. You can modify these values or disable alerts for each site.

To change these settings:

In the Administration workspace, expand Site Configuration, and then click Sites.

Select the site that you want to configure and open that site’s Properties.

In the site’s Properties dialog box, select the Alert tab, and then edit the settings.

The SMS Provider is a Windows Management Instrumentation (WMI) provider that assigns read and write access to the Configuration Manager database at a site. The SMS Admins group provides access to the SMS Provider and Configuration Manager automatically creates this security group on the site server and on each SMS Provider computer. You must have at least one SMS Provider in each central administration site and primary site. These sites also support the installation of additional SMS Providers. Secondary sites do not install the SMS Provider.

The Configuration Manager console, Resource Explorer, tools, and custom scripts use the SMS Provider so that Configuration Manager administrative users can access information that is stored in the database. The SMS Provider does not interact with Configuration Manager clients. When a Configuration Manager console connects to a site, the Configuration Manager console queries WMI on the site server to locate an instance of the SMS Provider to use.

The SMS Provider helps enforce Configuration Manager security. It returns only the information that the administrative user who is running the Configuration Manager console is authorized to view.

Important

When every computer that holds an SMS Provider for a site is offline, Configuration Manager consoles cannot connect to that site’s database.
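As an added example that is not part of the Configuration Manager documentation, the following script discovers the SMS Providers for a site the way a console does (the SMS_ProviderLocation class in the root\sms namespace on the site server) and then lists the local SMS Admins group on each provider computer, because membership in that group is what grants access to the provider. $SiteServer is a placeholder; the caller needs WMI (DCOM) access to the site server and permission to read local groups on each provider computer.

```powershell
# Added example (not from the Configuration Manager documentation): map SMS Provider
# locations for a site and audit the SMS Admins group on each provider computer.
param([string]$SiteServer = 'SITESERVER.CONTOSO.LOCAL')   # placeholder site server name

function Get-SmsProviderLocation {
    param([string]$ComputerName)
    # Same WMI query the console issues against the site server when it connects to a site.
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\sms' -Class 'SMS_ProviderLocation' |
        Select-Object SiteCode, Machine, NamespacePath, ProviderForLocalSite
}

function Get-SmsAdminsMember {
    param([string]$ComputerName)
    # The WinNT ADSI provider reads a local group over RPC, so no PowerShell remoting is needed.
    $group = [ADSI]"WinNT://$ComputerName/SMS Admins,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $type = $m.GetType()
        [pscustomobject]@{
            Computer = $ComputerName
            Member   = ($type.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)) -replace '^WinNT://', ''
            Class    = $type.InvokeMember('Class', 'GetProperty', $null, $m, $null)
        }
    }
}

$providers = @(Get-SmsProviderLocation -ComputerName $SiteServer)
if ($providers.Count -eq 0) { throw "No SMS_ProviderLocation instances found on $SiteServer" }

foreach ($p in $providers) {
    Write-Output "Site $($p.SiteCode): provider on $($p.Machine) ($($p.NamespacePath))"
    foreach ($m in @(Get-SmsAdminsMember -ComputerName $p.Machine)) {
        # A nested group hides the real set of principals that can reach the provider; flag it.
        $flag = if ($m.Class -eq 'Group') { '  [group: expand its membership]' } else { '' }
        Write-Output "    $($m.Class.PadRight(5)) $($m.Member)$flag"
    }
}
```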

Before you install the SMS Provider on a computer, ensure that the computer meets the following prerequisites:

The computer must be in a domain that has a two-way trust with the site server and the site database site systems.

The computer cannot have a site system role from a different site.

The computer cannot have an SMS Provider from any site.

The computer must run an operating system that is supported for a site server.

The computer must have at least 650 MB of free disk space to support the Windows Automated Installation Kit (Windows AIK) components that are installed with the SMS Provider. For more information about Windows AIK and the SMS Provider, see the Operating System Deployment Requirements for the SMS Provider section in this topic.

When you install a site, the installation automatically installs the first SMS Provider for the site. You can specify any of the following supported locations for the SMS Provider:

The site server computer

The site database computer

A server-class computer that does not hold an SMS Provider, or a site system role from a different site

Each SMS Provider supports multiple simultaneous connections. The only limits on these connections are the number of server connections that are available on the SMS Provider computer and the resources available on that computer to service the connection requests.

After a site is installed, you can run Setup on the site server again to change the location of an existing SMS Provider, or to install additional SMS Providers at that site. You can install only one SMS Provider on a computer, and a computer cannot install an SMS Provider from more than one site.

Use the following table to identify the advantages and disadvantages of installing an SMS Provider on each supported location.

Location: Configuration Manager site server

Advantages: The SMS Provider does not use the system resources of the site database computer. This location can provide better performance than an SMS Provider located on a computer other than the site server or site database computer.

Disadvantages: The SMS Provider uses system and network resources that could be dedicated to site server operations.

Location: SQL Server that is hosting the site database

Advantages: The SMS Provider does not use site system resources on the site server. This location can provide the best performance of the three locations, if sufficient server resources are available.

Disadvantages: The SMS Provider uses system and network resources that could be dedicated to site database operations. This location is not an option when the site database is hosted on a clustered instance of SQL Server.

Location: Computer other than the site server or site database computer

Advantages: The SMS Provider does not use site server or site database computer resources. This type of location lets you deploy additional SMS Providers to provide high availability for connections.

Disadvantages: SMS Provider performance might be reduced due to the additional network traffic that is required to coordinate with the site server and the site database computer. This server must always be accessible to the site database computer and to all computers that have the Configuration Manager console installed. This location can use system resources that would otherwise be dedicated to other services.

To view the locations of each SMS Provider that is installed at a site, view the General tab of the site Properties dialog box.

The SMS Provider operates independently of the display language of the computer where it is installed.

When an administrative user or Configuration Manager process requests data by using the SMS Provider, the SMS Provider attempts to return that data in a format that matches the operating system language of the requesting computer. The SMS Provider does not translate information from one language to another. Instead, when data is returned for display in the Configuration Manager console, the display language of the data depends on the source of the object and type of storage.

When data for an object is stored in the database, the languages that will be available depend on the following:

Objects that Configuration Manager creates are stored in the database by using support for multiple languages. The object is stored by using the languages that are configured at the site where the object is created when you run Setup. These objects are displayed in the Configuration Manager console in the display language of the requesting computer, when that language is available for the object. If the object cannot be displayed in the display language of the requesting computer, it is displayed in the default language, which is English.

Objects that an administrative user creates are stored in the database by using the language that was used to create the object. These objects display in the Configuration Manager console in this same language. They cannot be translated by the SMS Provider and do not have multiple language options.

After a site completes installation, you can install additional SMS Providers for the site. To install additional SMS Providers, run Configuration Manager Setup on the site server. Consider installing additional SMS Providers when any of the following is true:

You will have a large number of administrative users that run a Configuration Manager console and connect to a site at the same time.

You will use the Configuration Manager SDK, or other products, that might introduce frequent calls to the SMS Provider.

You want to ensure high availability for the SMS Provider.

When multiple SMS Providers are installed at a site and a connection request is made, the site non-deterministically assigns each new connection request to use an installed SMS Provider. You cannot specify the SMS Provider location to use with a specific connection session.

Note

Consider the advantages and disadvantages of each SMS Provider location and balance these considerations with the information that you cannot control which SMS Provider will be used for each new connection.

For example, when you first connect a Configuration Manager console to a site, the connection queries WMI on the site server to non-deterministically identify an instance of the SMS Provider that the console will use. This specific instance of the SMS Provider remains in use by the Configuration Manager console until the Configuration Manager console session ends. If the session ends because the SMS Provider computer becomes unavailable on the network, when you reconnect the Configuration Manager console the site again non-deterministically assigns an SMS Provider computer to the new connection session. It is possible to be assigned to the same SMS Provider computer that is not available. If this occurs, you can attempt to reconnect the Configuration Manager console until an available SMS Provider computer is assigned.
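The lookup described above can be reproduced outside the console. The following PowerShell is an added example and not a script from the original documentation: it performs the same WMI query the console performs (the SMS_ProviderLocation class in root\sms on the site server) to list every SMS Provider registered for a site, then opens the site namespace on each provider computer to confirm that it answers. The site server name and site code are placeholders, and the script assumes that it runs as a member of SMS Admins on Windows PowerShell 3.0 or later.

```powershell
# Added example, not part of the original documentation: list the SMS Providers for a
# site and check that each one answers, using the same WMI lookup the console performs.
# Assumptions: $siteServer and $siteCode are placeholders for your site; the caller is a
# member of SMS Admins; Windows PowerShell 3.0 or later (for [pscustomobject]).
$siteServer = 'CM01.contoso.com'   # assumption: FQDN of the site server
$siteCode   = 'PS1'                # assumption: the site's three-character code

# Step 1: the console asks WMI on the site server which computers hold a provider.
# SMS_ProviderLocation lives in root\sms on the site server, one instance per provider.
$providers = @(Get-WmiObject -ComputerName $siteServer -Namespace 'root\sms' `
                             -Class SMS_ProviderLocation -ErrorAction Stop |
               Where-Object { $_.SiteCode -eq $siteCode })

if ($providers.Count -eq 0) {
    throw "No SMS Provider is registered for site $siteCode on $siteServer."
}

# Step 2: open the site namespace on every provider computer. The site hands a console
# one of these non-deterministically, so all of them must be reachable for console
# connections to be reliable.
$report = @(foreach ($p in $providers) {
    $ns = "root\sms\site_$($p.SiteCode)"
    try {
        $site = Get-WmiObject -ComputerName $p.Machine -Namespace $ns -Class SMS_Site `
                              -Filter "SiteCode='$($p.SiteCode)'" -ErrorAction Stop
        [pscustomobject]@{
            Provider  = $p.Machine
            Namespace = $ns
            Reachable = $true
            SiteName  = $site.SiteName
            Error     = $null
        }
    } catch {
        [pscustomobject]@{
            Provider  = $p.Machine
            Namespace = $ns
            Reachable = $false
            SiteName  = $null
            Error     = $_.Exception.Message
        }
    }
})

$report | Format-Table -AutoSize

# Treat any unreachable provider as a problem: a console session assigned to it will
# fail, and reconnecting may land on the same computer again.
$down = @($report | Where-Object { -not $_.Reachable })
if ($down.Count -gt 0) {
    Write-Warning ("{0} of {1} SMS Providers for site {2} did not answer: {3}" -f `
        $down.Count, $report.Count, $siteCode, ($down.Provider -join ', '))
}
```

Running this from a scheduled task on an administrative workstation gives early warning that a provider computer has dropped off the network, before a console session is assigned to it.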

You use the SMS Admins group to provide administrative users access to the SMS Provider. The group is automatically created on the site server when the site installs, and on each computer that installs an SMS Provider. Additional information about the SMS Admins group:

When the computer is a member server, the SMS Admins group is created as a local group.

When the computer is a domain controller, the SMS Admins group is created as a domain local group.

When the SMS Provider is uninstalled from a computer, the SMS Admins group is not removed from the computer.

Before a user can make a successful connection to an SMS Provider, their user account must be a member of the SMS Admins group. Each administrative user that you configure in the Configuration Manager console is automatically added to the SMS Admins group on each site server and to each SMS Provider computer in the hierarchy. When you delete an administrative user from the Configuration Manager console, that user is removed from the SMS Admins group on each site server and on each SMS Provider computer in the hierarchy.

After a user makes a successful connection to the SMS Provider, role-based administration determines what Configuration Manager resources that user can access or manage.

You can view and configure SMS Admins group rights and permissions by using the WMI Control MMC snap-in. By default, Everyone has Execute Methods, Provider Write, and Enable Account permissions. After a user connects to the SMS Provider, that user is granted access to data in the site database based on their role-based administrative security rights as defined in the Configuration Manager console. The SMS Admins group is explicitly granted Enable Account and Remote Enable on the Root\SMS namespace. Remote Enable is the WMI permission that allows a connection from another computer, so it is what lets a Configuration Manager console on an administrative workstation reach the SMS Provider; Enable Account by itself permits only local access to the namespace.
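The permissions described above can be read back with WMI itself rather than through the snap-in. The following PowerShell is an added example that is not part of the original documentation: it decodes the DACL of the root\sms namespace on a provider computer into the names that WMI Control displays (Enable Account, Remote Enable, and so on) and lists the members of that computer's SMS Admins group. The computer name is a placeholder, and the caller must be a local administrator on that computer to read the namespace security descriptor.

```powershell
# Added example, not part of the original documentation: audit WMI namespace security on
# an SMS Provider computer and list SMS Admins membership.
# Assumptions: $computer names a computer that holds an SMS Provider; the caller is a
# local administrator on it; Windows PowerShell 3.0 or later.
$computer = 'CM01.contoso.com'   # assumption: a provider computer

# WMI namespace access-mask bits (WBEM_* security flags plus the two standard rights that
# WMI Control labels Read Security and Edit Security).
$wmiRights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

function Get-WmiNamespaceAcl([string]$ComputerName, [string]$Namespace) {
    # Every namespace exposes a singleton __SystemSecurity instance whose
    # GetSecurityDescriptor method returns a Win32_SecurityDescriptor.
    $sec = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class __SystemSecurity
    $sd  = $sec.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        $granted = $wmiRights.Keys | Where-Object { ($ace.AccessMask -band $wmiRights[$_]) -ne 0 }
        $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
                   else { $ace.Trustee.Name }
        [pscustomobject]@{
            Trustee   = $trustee
            Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Rights    = ($granted -join ', ')
            Inherited = (($ace.AceFlags -band 0x10) -ne 0)   # INHERITED_ACE
        }
    }
}

# 1. Who may reach the provider over the network: look for Remote Enable on root\sms.
$acl = Get-WmiNamespaceAcl -ComputerName $computer -Namespace 'root\sms'
$acl | Format-Table -AutoSize

$remote = @($acl | Where-Object { $_.Type -eq 'Allow' -and $_.Rights -match 'Remote Enable' })
"Trustees with Remote Enable on root\sms: " + (($remote | ForEach-Object { $_.Trustee }) -join ', ')

# 2. Who is in SMS Admins on that computer. The WinNT ADSI provider works on older and
#    newer servers alike; on a domain controller the same path resolves the domain local
#    group that Setup creates there.
$group   = [ADSI]"WinNT://$computer/SMS Admins,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
}
"SMS Admins members on ${computer}: " + ($members -join ', ')
```

Any trustee other than SMS Admins, the local administrators, or the accounts Configuration Manager itself uses that appears with Remote Enable on root\sms deserves a closer look, because that right is what turns a WMI namespace into a remotely reachable administrative interface.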

The structure of the SMS Provider is defined by the WMI schema. Schema namespaces describe the location of Configuration Manager data within the SMS Provider schema. The following table contains some of the common namespaces that are used by the SMS Provider.

Namespace: Root\SMS\site_<site code>

Description: The SMS Provider namespace for the site, which is extensively used by the Configuration Manager console, Resource Explorer, Configuration Manager tools, and scripts.

Location of inventory reporting classes that are collected by the inventory client agent. These settings are compiled by clients during computer policy evaluation and are based on the client settings configuration for the computer.

The SMS Provider requires the following external dependency to be installed on the computer that runs the SMS Provider, so that you can use operating system deployment task functions from the Configuration Manager console:

For Configuration Manager with no service pack: the Windows Automated Installation Kit (Windows AIK)

For Configuration Manager with no service pack, the Windows AIK installs as a component of the SMS Provider. Beginning with Configuration Manager SP1, you must manually install the Windows ADK on a computer before you can install the SMS Provider.

When you manage operating system deployments, the Windows AIK or Windows ADK allows the SMS Provider to complete various tasks, which include the following:

View WIM file details

Add driver files to existing boot images

Create boot .ISO files

The Windows AIK or Windows ADK installation can require up to 650 MB of free disk space on each computer that installs the SMS Provider. This high disk space requirement is necessary for Configuration Manager to install the Windows PE boot images.

Configuration Manager site system roles that require Microsoft Internet Information Services (IIS) also require a website to host the site system services. By default, site systems use the IIS website named Default Web Site on a site system server. However, you can instead use a custom website named SMSWEB. This option might be appropriate if you must run other web applications on the same server and their settings are incompatible with Configuration Manager, or if you want the additional resilience of using a separate website. In this scenario, the other applications continue to use the default IIS website, and Configuration Manager operations use the custom website.

Important

When you run other applications on a Configuration Manager site system, you increase the attack surface on that site system. As a security best practice, dedicate a server for the Configuration Manager site systems that require IIS.

You can use custom websites on all primary sites. When you use a custom website at a site, all client communications within the site are directed to use the custom website named SMSWEB on each site system instead of the default website on IIS. Additionally, site system roles that use IIS but do not accept client connections, such as the reporting services point, also use the SMSWEB website instead of the default website. For more information about which site systems require IIS, see Supported Configurations for Configuration Manager.

Before you configure a Configuration Manager site to use a custom website, you must manually create the custom website in IIS on each site system server that requires Internet Information Services (IIS) at that site. Because secondary sites are automatically configured to use a custom website when you enable this option on the parent site, you must also create a custom website in IIS on each secondary site system server that requires IIS.

If you enable custom websites for one site, consider using custom websites for all sites in your hierarchy to ensure that clients can successfully roam within the hierarchy.

Note

When you select or clear the check box to use a custom website for a site, the following site system roles that are installed on each site system server in the site are automatically uninstalled and reinstalled:

When you create a custom website, you must assign port numbers to the custom website that differ from the port numbers that the default website uses. The default website and the custom website cannot run at the same time if both sites are configured to use the same TCP/IP ports.

After the site system roles are reinstalled, verify that the TCP/IP ports configured in IIS for the custom website match the client request ports for the site.

Although you can select or clear the check box to use a custom website at any time, if possible, configure this option as soon as the site is installed to minimize any disruptions to service continuity. When you make this site configuration change, plan for the site system roles that are automatically uninstalled and reinstalled with the new website and port configuration. You must also plan to manually uninstall and reinstall any site system roles that are not automatically reinstalled to use the new website and port configuration.

When you change from using the default website to use a custom website, Configuration Manager does not automatically remove the old virtual directories. If you want to remove the files that Configuration Manager used, you must manually delete the virtual directories that were created under the default website.

To use a custom website for a site, you must perform the following actions before you enable the option to use a custom website in Configuration Manager:

Create the custom website in IIS for each site system server that requires IIS in the primary site and in any child secondary sites.

Name the custom website SMSWEB.

Configure the custom website to respond to the same port that you configure for Configuration Manager client communication.

For each custom website or default website that uses a custom folder, place a copy of the default document type that you use into the root folder that hosts the website. For example, on a Windows Server 2008 R2 computer with default configurations, iisstart.htm is one of several default document types available. You can find this file in the root of the default website, and then place a copy of this file (or a copy of the default document type you use) into the root folder that hosts the SMSWEB custom website. For more information about default document types, see Default Document <defaultDocument> for IIS.

Important

When you change from using the default website and use a custom website, Configuration Manager adds the client request ports that are configured on the default website to the custom website. Configuration Manager does not remove these ports from the default website, and the ports are listed for both the default and custom website. IIS cannot start both websites when they are configured to operate on the same TCP/IP ports, and clients cannot contact the management point.
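The pre-enable steps in the preceding list and the port-collision caveat in the Important note can be carried out and checked with the IIS WebAdministration module. The following PowerShell is an added example, not a script from the original documentation: it creates the SMSWEB website, binds the custom HTTP and HTTPS ports, copies iisstart.htm into the site's root folder, removes any port that Default Web Site shares with SMSWEB, and finally lists the SMSWEB bindings so that they can be compared with the site's client request ports. The ports 8080 and 8443 and the folder C:\inetpub\SMSWEB are assumptions; substitute the client request ports configured for your site.

```powershell
# Added example, not part of the original documentation: create and validate the SMSWEB
# custom website on an IIS site system server.
# Assumptions: HTTP port 8080, HTTPS port 8443 and the folder C:\inetpub\SMSWEB are
# placeholders; the ports must equal the site's client request ports. Requires the
# WebAdministration module (IIS 7.0 or later) and an elevated session.
Import-Module WebAdministration

$siteName     = 'SMSWEB'              # the name Configuration Manager expects
$physicalPath = 'C:\inetpub\SMSWEB'   # assumption: any local folder works
$httpPort     = 8080                  # assumption: the site's HTTP client request port
$httpsPort    = 8443                  # assumption: the site's HTTPS client request port
$defaultSite  = 'Default Web Site'

# 1. Create the folder and the website bound to the custom HTTP port.
if (-not (Test-Path $physicalPath)) { New-Item -ItemType Directory -Path $physicalPath | Out-Null }
if (-not (Get-Website -Name $siteName)) {
    New-Website -Name $siteName -PhysicalPath $physicalPath -Port $httpPort | Out-Null
}

# 2. Add the HTTPS binding. This registers the port with the site only; the server
#    certificate is bound separately (IIS Manager or netsh http add sslcert).
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $httpsPort)) {
    New-WebBinding -Name $siteName -Protocol https -Port $httpsPort
}

# 3. Place a copy of the default document type into the custom site's root folder.
#    iisstart.htm ships in the root of Default Web Site on a default installation.
$defaultRoot = (Get-Website -Name $defaultSite).physicalPath -replace '%SystemDrive%', $env:SystemDrive
$docSource   = Join-Path $defaultRoot 'iisstart.htm'
if (Test-Path $docSource) { Copy-Item $docSource -Destination $physicalPath -Force }

# 4. Port-collision check. IIS cannot start two sites that share a TCP port, so a port
#    present on both Default Web Site and SMSWEB is removed from Default Web Site, as the
#    binding-edit procedure for this scenario describes.
function Get-SitePorts([string]$name) {
    Get-WebBinding -Name $name | ForEach-Object {
        # bindingInformation is "<ip>:<port>:<host header>"; match the port from the right
        # so that IPv6 addresses containing ':' do not confuse the split.
        if ($_.bindingInformation -match ':(\d+):[^:]*$') { [int]$Matches[1] }
    }
}
$duplicates = @(Compare-Object @(Get-SitePorts $defaultSite) @(Get-SitePorts $siteName) `
                               -IncludeEqual -ExcludeDifferent |
                Select-Object -ExpandProperty InputObject)
foreach ($port in $duplicates) {
    Write-Warning "Port $port is bound to both '$defaultSite' and '$siteName'; removing it from '$defaultSite'."
    Get-WebBinding -Name $defaultSite -Port $port | ForEach-Object {
        Remove-WebBinding -Name $defaultSite -Protocol $_.protocol -Port $port
    }
}

# 5. Report the final state for comparison with the site's client request ports.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
```

Run the script on every IIS site system server in the primary site and its secondary sites before you enable the custom website option, and rerun step 5 after the site system roles are reinstalled to confirm that the bindings still match the client request ports.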

Use the information in the following procedures to help you configure the custom websites in IIS.

Note

The following procedures are for Internet Information Services (IIS) 7.5 on Windows Server 2008 R2. If you cannot use these procedures because your server has a different operating system or IIS version, refer to the IIS documentation for your operating system version.

In the Internet Information Services (IIS) Manager, edit the Bindings of the IIS website that has the duplicate ports (Default Web Site). Remove the ports that match the ports that are assigned to the custom website (SMSWEB).